Active Directory lookups from bound Mac without user credentials
I guess I'll answer my own question. For my needs it was in Perl, but it should be pretty obvious how to do the same in a straight shell script. I just needed to grab the machine credentials out of the ActiveDirectory.plist:
```perl
use strict;
use warnings;
use Net::LDAP;

sub get_LDAPEntries
{
    my ($LDAPServer, $LDAPPort, $LDAPsearchbase, $LDAPfilter) = @_;

    # The bound Mac's computer account credentials live in the
    # DirectoryService plist (10.6); pull them out with PlistBuddy.
    my $kerbID = `/usr/libexec/PlistBuddy /Library/Preferences/DirectoryService/ActiveDirectory.plist -c "print :'AD Computer Kerberos ID'"`;
    chomp $kerbID;
    my $password = `/usr/libexec/PlistBuddy /Library/Preferences/DirectoryService/ActiveDirectory.plist -c "print :'AD Computer Password'"`;
    chomp $password;

    my $LDAPSession = Net::LDAP->new($LDAPServer, port => $LDAPPort)
        or die("Could not connect to LDAP server: $@");

    # bind() returns a Net::LDAP::Message (always true), so check its
    # result code rather than relying on "or die".
    my $bind = $LDAPSession->bind($kerbID, password => $password);
    $bind->code && die "Could not bind to LDAP server: " . $bind->error;

    my $results = $LDAPSession->search(base => $LDAPsearchbase, filter => $LDAPfilter);
    $results->code && die "There was an error in the LDAP search: " . $results->error;

    $LDAPSession->unbind;
    my @LDAPEntries = $results->entries;
    return @LDAPEntries;
}
```
Update: This only works on Snow Leopard (10.6). Lion (10.7) stores the AD password in the keychain and you will need to use the "security" command line utility to get to it... which is frankly kind of a pain due to the password being output to stderr while the rest of the query is sent to stdout. I am going to decree Lion support as out of scope :-P
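The lookup above sends the computer account's password in a simple bind over plain LDAP on whatever port is passed in, never checks the bind result (Net::LDAP's bind() returns a message object that is always true), and builds the PlistBuddy command line as a shell string. The following is an added example, not the poster's code, showing the same Snow Leopard lookup with those three points addressed: PlistBuddy is invoked through a list-form pipe open so no shell parses the command, the connection is upgraded with STARTTLS and the server certificate is verified before the secret is sent, and every result code is checked. The CA bundle path, server, search base and filter are placeholders; the plist path and key names are the ones from the post.

```perl
#!/usr/bin/perl
# Added example (not the original poster's code): machine-account LDAP lookup
# from a bound 10.6 Mac, hardened against cleartext binds, unchecked errors
# and shell interpolation of the extracted secret.
use strict;
use warnings;
use Net::LDAP;

my $PLIST   = '/Library/Preferences/DirectoryService/ActiveDirectory.plist';
my $CA_FILE = '/etc/ssl/ad-ca.pem';   # placeholder: your domain CA certificate

# Read one key from the plist without invoking a shell: list-form open(2)
# passes the arguments straight to PlistBuddy.
sub plist_value {
    my ($key) = @_;
    open(my $fh, '-|', '/usr/libexec/PlistBuddy', '-c', "print :'$key'", $PLIST)
        or die "cannot run PlistBuddy: $!";
    my $value = <$fh>;
    close($fh) or die "PlistBuddy failed for '$key' (exit " . ($? >> 8) . ")";
    die "key '$key' missing or empty" unless defined $value && length $value;
    chomp $value;
    return $value;
}

sub get_LDAPEntries {
    my ($server, $port, $base, $filter, @attrs) = @_;

    my $kerbID   = plist_value('AD Computer Kerberos ID');
    my $password = plist_value('AD Computer Password');

    my $ldap = Net::LDAP->new($server, port => $port, timeout => 10)
        or die "cannot connect to $server:$port: $@";

    # Upgrade to TLS and verify the server certificate before the machine
    # password leaves the host; refuse to continue in cleartext.
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $CA_FILE);
    $mesg->code and die "STARTTLS failed: " . $mesg->error;

    $mesg = $ldap->bind($kerbID, password => $password);
    $mesg->code and die "bind as $kerbID failed: " . $mesg->error;
    undef $password;   # drop the secret as soon as it is no longer needed

    $mesg = $ldap->search(
        base   => $base,
        filter => $filter,
        scope  => 'sub',
        attrs  => (@attrs ? \@attrs : ['*']),
    );
    $mesg->code and die "LDAP search failed: " . $mesg->error;

    $ldap->unbind;
    return $mesg->entries;
}

# Usage (placeholder server/base/filter): look up a user's display name
# and mail address by sAMAccountName.
if (!caller) {
    my @entries = get_LDAPEntries(
        'dc01.example.test', 389,
        'DC=example,DC=test',
        '(&(objectClass=user)(sAMAccountName=jdoe))',
        qw(displayName mail),
    );
    for my $e (@entries) {
        printf "%s: %s <%s>\n", $e->dn,
            $e->get_value('displayName') // '',
            $e->get_value('mail') // '';
    }
}
```

The script must run as a user that can read the plist, since the computer account password is the credential being reused; restricting the attribute list in the search keeps the result set to what the caller actually needs rather than returning whole directory objects.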